Remote command injection in Composer before version 1.6.4

Author: Michael Hanselmann. Updated: April 16, 2018

Composer is a dependency manager for PHP. Before version 1.6.4, its Mercurial, Fossil, Subversion and Git source downloaders did not escape arguments when extracting commit logs (HgDownloader::getCommitLogs, FossilDownloader::getCommitLogs, SvnDownloader::getCommitLogs and GitDownloader::getCommitLogs). References obtained from the repository, such as tag names, are interpolated into a command line and passed unescaped to a shell. At least for Mercurial it is possible to construct a package repository whose tag name is interpreted as a valid shell command and executed on the client. The affected functions are invoked when a dependency is updated from source (a VCS checkout rather than a dist archive) in verbose mode, i.e. with Composer's -v/--verbose flag.
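The following is an added example, not code from Composer or from this advisory. It shows the vulnerable pattern (a repository-controlled reference interpolated into a shell command string) next to the hardened one (each argument quoted as a single shell word), and runs both through /bin/sh. Mercurial's "hg log" is replaced by "echo" so the script runs without Mercurial or a repository; the tag name, the function names and the stand-in process runner are constructed for the demonstration. Composer's own helper for escaping is Composer\Util\ProcessExecutor::escape; PHP's built-in escapeshellarg() is used here so the script is self-contained.

```php
<?php
// Added example (not Composer's code): an unescaped VCS reference reaching the
// shell, and the escaping that closes the hole. "echo" stands in for "hg log".

// Vulnerable pattern: the reference is interpolated into the command string
// as-is, so shell metacharacters in a tag name are interpreted by the shell.
function buildCommitLogCommandUnsafe(string $fromRef, string $toRef): string
{
    return sprintf('echo log -r %s:%s', $fromRef, $toRef);
}

// Hardened pattern: every repository-controlled argument is quoted as one
// shell word. Composer wraps the same idea in ProcessExecutor::escape().
function buildCommitLogCommandSafe(string $fromRef, string $toRef): string
{
    return sprintf('echo log -r %s:%s', escapeshellarg($fromRef), escapeshellarg($toRef));
}

// Stand-in for a downloader's process runner: hands the command string to
// /bin/sh exactly as shell_exec()/proc_open() do and returns its output.
function runThroughShell(string $command): string
{
    return (string) shell_exec($command . ' 2>&1');
}

// Constructed malicious tag name: a repository an attacker controls can carry
// a tag like this. The ";" ends the intended command and starts a new one.
$maliciousTag = 'v1.0; echo INJECTED-COMMAND-RAN';

$unsafeOutput = runThroughShell(buildCommitLogCommandUnsafe('v0.9', $maliciousTag));
$safeOutput   = runThroughShell(buildCommitLogCommandSafe('v0.9', $maliciousTag));

echo "unsafe command output:\n", $unsafeOutput;
echo "safe command output:\n", $safeOutput;

// Check: with the unsafe builder the shell ran two commands (two output
// lines); with the safe builder the whole tag is a literal argument (one line).
function injectionHappened(string $output): bool
{
    return substr_count($output, "\n") > 1
        && strpos($output, "\nINJECTED-COMMAND-RAN") !== false;
}

echo "unsafe builder executed injected command: ",
    injectionHappened($unsafeOutput) ? "yes" : "no", "\n";
echo "safe builder executed injected command:   ",
    injectionHappened($safeOutput) ? "yes" : "no", "\n";
```

Two practical caveats. escapeshellarg() is POSIX-oriented: on Windows PHP replaces percent signs, exclamation marks and double quotes in the argument with spaces before wrapping it in double quotes, so a reference containing those characters is silently altered rather than preserved; a robust downloader should also validate references against the VCS's own naming rules instead of relying on quoting alone. And quoting only protects the shell layer: an argument starting with "-" can still be read as an option by the VCS tool, so references should be placed after "--" or passed to an option such as "-r" that takes a value, as in the example.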

The upstream developers responded quickly to the initial report and pushed a fix within three days, discovering one additional affected case that the author had not noticed at first. The fixed release, Composer 1.6.4, was announced and published on April 13, 2018, less than four days after the initial report.